10 Live Indirect Prompt Injection Payloads Found Targeting AI Agents in the Wild

What is it?

Forcepoint X-Labs and Google published independent research in April 2026 documenting indirect prompt injection attacks found in the wild — not theoretical proofs-of-concept. The attacks embed invisible instructions in web pages (hidden via pixel-shrinking, color draining, HTML comments, or metadata) that trigger when AI agents browse or summarize those pages. Forcepoint catalogued 10 distinct attack payloads across live websites; Google scanned billions of pages and found a 32% increase in malicious injections between November 2025 and February 2026.

How does it work?

When an LLM-powered agent reads a web page containing hidden instructions, it treats those instructions as trusted directives. Real payloads discovered include: instructions to run `rm -rf` on AI coding tool environments with shell access; embedded PayPal links with fixed $5,000 amounts targeting payment-capable agents; commands to extract and exfiltrate API keys; and false copyright notices suppressing agent responses. Forcepoint found shared injection templates across multiple domains, suggesting organized tooling rather than isolated experiments.

Why does it matter?

The threat is no longer hypothetical — these payloads exist on live websites right now. The severity scales directly with agent permissions: a browser summarization agent is low risk, but an agentic IDE with shell access or an agent that can execute payments is a high-value target. The 32% year-over-year growth in malicious injections tracked by Google signals an active and growing adversarial ecosystem targeting AI agents.

Who is it for?

Security teams and developers deploying AI agents with web access or shell execution permissions

Tags

• security
• prompt-injection
• llm-security
• agents
• forcepoint
• google
• agentic-ai
• credential-theft
• in-the-wild